Another week of links only; I’m going to try get back to scheduled programming next week but that may be tough. Will do my best 🙂

FORENSIC ANALYSIS

• Port139
  ActivitiesCache.dbとアクティビティ削除(3)

• Arsenal Consulting
  • Quick Look Cache Parsing
  • Arsenal Quick Look Cache Parsing
  • Collecting Quick Look Data From a Live macOS System

• Cyber Forensicator
  TrueCrypt Container Recovery

• Didier Stevens
  Encrypted OOXML Documents

• Digital Forensics Corp
  • Forensic Analysis Instant Messengers Desktop Applications
  • Modern private investigators must embrace digital forensics skills

• Elcomsoft
  • Apple Probably Knows What You Did Last Summer
  • The iOS File System: TAR and Aggregated Locations Analysis

• Forense nella Nebbia
  UsrClass.dat stores more history than you think

• Hacking Exposed Computer Forensics Blog
  • Daily Blog #382: Sunday Funday 6/3/18
  • Daily Blog #386:Exploring Extended MAPI Part 3
  • Daily Blog #383: Daily Blog Schedule
  • Daily Blog #384:Exploring Extended MAPI Part 1
  • Daily Blog #385:Exploring Extended MAPI Part 2
  • ETW Event Tracing for Windows and ETL Files
  • Daily Blog #387:Forensic Lunch 6/8/18 live from the DFIR Summit
  • Daily Blog #388: Soltuion Saturday 6/9/18

• Initialization vectors
  Android Remote Desktop Apps – Microsoft RDP

• Inside Out
  How to acquire Linux memory images using without a driver

• Koen Van Impe
  RDP logs and incident response

• Righteous IT
  XFS Part 5 – Multi-Block Directories

• Salt Forensics
  AWS for Forensics (1)

• ThinkDFIR
  Speaking to Google Home’s

• Gabriele Zambelli
  Check out @gazambelli’s Tweet
  

THREAT INTELLIGENCE/HUNTING

• Volexity
  Patchwork APT Group Targets US Think Tanks

• Carbon Black
  Excerpts from Modern Bank Heists – Non Malware Attack Methods

• Endgame
  Introducing Event Query Language

• Hexacorn
  • Logman, the Windows volverine
  • Beyond good ol’ Run key, Part 79

• HolisticInfoSec
  toolsmith #133 – Anomaly Detection & Threat Hunting with Anomalize

• Icebrg
  Adobe Flash Zero-Day Leveraged For Targeted Attack In Middle East

• Microsoft Azure
  Detecting script-based attacks on Linux

• Palo Alto Networks
  Sofacy Group’s Parallel Attacks

• SpecterOps
  Threat Gets A Vote: Applying a Threat Based Approach to Security Testing

• Red Canary
  Slaying Evil Around the Clock with Red Canary’s Cyber Incident Response Team

• Olaf Hartong
  • Endpoint detection Superpowers on the cheap — part 1
  • Endpoint detection Superpowers on the cheap — part 2 — Deploy and Maintain

• Syspanda
  Monitoring VPN Logins & Incorporating them to AD

• FireEye
  Reverse Engineering the Analyst: Building Machine Learning Models for
  the SOC

• Tilting at windmills
  • On reported APT trends
  • Kevin Mandia on Nation State Actors
    

UPCOMING WEBINARS/CONFERENCES

• Comae
  Memory Forensics with Comae

• Cisco Talos
  Talos Threat Research Summit Guide and Cisco Live Preview
  

PRESENTATIONS/PODCASTS

• Adrian Crenshaw
  ShowMeCon 2018

• Brakeing Down Incident Response
  BDIR EP-004

• Flashpoint
  Collective Intelligence Podcast, Cisco Talos on VPNFilter Malware Attacks

• Forensic Lunch
  Forensic Lunch: 6/8/18 –

• Magnet Forensics
  • Getting Started with Magnet AXIOM Examine – Magnet.AI
  • Getting Started with Magnet AXIOM Examine – Connections

• Digital Forensic Survival Podcast
  DFSP # 120  – Rita

• Richard Davis
  Some Assembly Required

• SANS
  DFIR Summit & Training 2018

• SANS CTI Summit
  Determining the Fit & Impact of CTI Indicators on Your Monitoring Pipeline – SANS CTI Summit 2018

• Trail of Bits
  QueryCon 2018: our talks and takeaways
  

MALWARE

• Joe Security
  Analysing VPNFilter with Joe Sandbox Linux

• Carbon Black
  Carbon Black TAU Threat Analysis: Emotet Banking Trojan Leverages MS Office Word Docs, PowerShell to Deliver Malware

• Check Point Research
  Banking Trojans Under Development

• Endgame
  What Year Is It? VB6 Payload Crypter

• Huntress Labs
  Deep Dive: .NET Malware — Peeling Back the Layers

• JPCERT/CC
  PLEAD Downloader Used by BlackTech

• Malwarebytes Labs
  Malware analysis: decoding Emotet, part 2

• Marco Ramilli
  DMOSK Malware Targeting Italian Companies

• SandmaxPrime
  MalDoc Analysis – Geodo

• SANS Internet Storm Center
  Malspam pushing coin miner and other malware, (Fri, Jun 8th)

• Cisco Talos
  VPNFilter Update – VPNFilter exploits endpoints, targets new devices

• So Long, and Thanks for All the Fish
  • Using MFT anomalies to spot suspicious files in forensic analysis
  • Dumpzilla: a forensic tool to extract information from browsers based on Firefox

• FireEye
  A Totally Tubular Treatise on TRITON and TriStation

• TrendLabs
  New KillDisk Variant Hits Latin American Financial Organizations Again

• VMRay
  The Evolution of Gandcrab Ransomware
  

MISCELLANEOUS

• Blackbag Technologies
  Examination Platforms – Mac or Windows?

• CCL Group
  Defence Cases

• Chip DFIR
  Immersive Labs Practical Skills Platform

• DriveSavers
  Data Recovery Will Still be Available with iOS 12 USB Restricted Mode

• DFIR Training
  Get out of learning mode!  aka: Break Your Groundhog Day cycle

• Didier Stevens
  Quickpost: John & Dummy Hashes

• Digital Forensic Science
  • Linking Organized Crime and Cybercrime
  • Cybersecurity Revolution Conference 2018: Lessons learned

• Digital Forensics Magazine
  Drone Forensics Gets a Boost With New Data on NIST Website

• Forensic 4Cast
  • 2018 Awards
  • Future of the Forensic 4:cast Awards
  • Future of the Forensic 4Cast Awards

• Hacking Articles
  • Beginners Guide for John the Ripper (Part 1)
  • Working of Traceroute using Wireshark
  • Beginners Guide for John the Ripper (Part 2)

• Scar de Courcier
  How I Plan My Books

• Security Intelligence
  Incident Response and Digital Forensics: Will You Buy or Build?

• The Eclectic Light Company
  • APFS will finally be supported on Fusion Drives – in macOS 10.14 Mojave
  • APFS comes to Fusion Drives, but there’s no sign of Time Machine 2
  • The unified log in macOS Mojave: Signposts and Instruments

• Troy 4N6
  Quick Tip on Reviewing Report/Discovery PDFs
  

SOFTWARE UPDATES

• Cellebrite
  UFED Physical Analyzer 7.6 [June 2018]

• Elcomsoft
  ElcomSoft Tool Helps Analyse Location Data from iOS Devices

• Ryan Benson
  Synopsis

• ExifTool
  ExifTool 11.00 (production release)

• KaniVola 0.12
  KaniVola 0.12

• Evimetry
  Announcing Evimetry Lab: changing  the game for in-lab forensics

• MISP
  MISP 2.4.92 released (aka performance improvement)

• Shelly Giesbrecht
  Check out @nerdiosity’s Tweet

• IsoBuster
  IsoBuster 4.2 Beta released

• Mac_apt
  Check out @SwiftForensics’s Tweet

• TestDisk
  TestDisk/PhotoRec

• X-Ways
  X-Ways Forensics 19.7 Preview 4
  

And that’s all for Week 23! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!